[00:00.000 --> 00:08.960]  Okay, sounds good. My name is Matt. I put this all together because I... so basically...
[00:10.940 --> 00:14.380]  I guess, you know, brief who it is real quick.
[00:15.180 --> 00:19.420]  I'm from Louisville, Kentucky. I've been doing computers for a long time.
[00:21.620 --> 00:27.480]  I love it. And lately, the big thing I've been working on are bug bounties.
[00:29.020 --> 00:40.880]  And that kind of actually got me into this. So basically, TLDR on this is
[00:42.660 --> 00:50.480]  Network-Based Unauthenticated Memory Disclosure on a SIP phone. And I basically played with it
[00:50.480 --> 00:55.820]  and found there's some pretty interesting things that you can pull out of it. And I'm going to
[00:55.820 --> 01:03.720]  show you here. It's worked out pretty cool. The backstory actually goes back to basically DerbyCon
[01:05.220 --> 01:12.700]  2019. So, you know, that was the last DerbyCon, of course,
[01:12.700 --> 01:17.420]  and being from Louisville, naturally, I made sure I was there.
[01:19.320 --> 01:25.080]  And, you know, they always have a lineup of awesome speakers. But so the first
[01:25.820 --> 01:30.600]  I guess it must have been Saturday, I was on my way to the first talk of the day and I saw this
[01:30.600 --> 01:39.280]  sign over here across the way and I, you know, basically was like drawn to that thing like
[01:40.440 --> 01:49.060]  a bug is drawn to a zapper or something. And so I walked in there and literally did not leave
[01:49.060 --> 01:56.160]  for the rest of the day. And it's so cool, you know, we work on this stuff all the time and
[01:56.160 --> 02:01.740]  hear about the vulnerabilities and deal with them. But to see all the different stuff laid out there
[02:03.300 --> 02:09.280]  from basically, you know, NASs to routers to light bulbs really
[02:11.900 --> 02:16.700]  struck a chord with me, I guess. So I think in that sense,
[02:17.340 --> 02:21.520]  IoT Village really achieved what they were shooting for.
[02:23.860 --> 02:30.960]  So basically, that would have been in September of last year. And
[02:33.340 --> 02:40.980]  I kind of walked away from that with the notion that I wanted to spend some time in the next year
[02:41.720 --> 02:46.760]  hacking on that stuff, coming up with my own basically, you know, 0-days.
[02:48.880 --> 02:55.940]  And so about a month later, I was working on a bug bounty and had an interesting scope because
[02:55.940 --> 03:04.800]  it was basically like all IPs, which normally is like hosts and stuff. And so I thought I would
[03:05.780 --> 03:13.040]  do some recon, you know, follow all the steps, right? Passive recon first. And so I started with
[03:13.040 --> 03:17.660]  Shodan, mostly just to get familiar with it, because I hadn't really used it very much.
[03:17.900 --> 03:23.060]  And actually, I think I had done it wrong, because I didn't end up at the target that I thought I was
[03:23.060 --> 03:29.940]  wanting to end up at. But I basically ended up just browsing through Shodan for a few hours.
[03:29.940 --> 03:37.340]  And like, you know, I never was one to like, sit there and watch cat videos for hours.
[03:38.880 --> 03:45.920]  But once I came across Shodan and all the cool stuff that you can find on there,
[03:45.920 --> 03:54.700]  it's basically like my cat videos, I guess. And so basically, as I'm browsing through here, I
[04:08.250 --> 04:27.680]  I'm scrolling down and let's go back. Yeah, I guess.
[04:38.570 --> 04:41.350]  I imagine you guys probably can't see that very well.
[04:42.410 --> 04:48.710]  So I'm working on how I can make that look better. Give me just one second.
[05:27.770 --> 05:28.810]  Okay.
[05:35.990 --> 05:39.550]  There we go. That's what I was shooting for.
[05:41.110 --> 05:47.750]  Actually that. Okay. So I'm browsing on Shodan. I come across this. Obviously,
[05:47.750 --> 05:51.330]  I have a bunch of stuff marked out right now. So I apologize for that.
[05:52.190 --> 05:58.130]  But, you know, nothing too crazy here. And then I keep scrolling down.
[06:09.310 --> 06:20.030]  Okay. And basically come to this. So clearly what's happened here is, you know, the Shodan
[06:20.030 --> 06:30.290]  server is hitting this web server that's running on a phone over and over 401. And then basically,
[06:31.190 --> 06:37.270]  so they've implemented some security controls, like, you know, basically password lockout.
[06:37.270 --> 06:42.990]  And then it literally just pukes its guts up on you.
[06:43.870 --> 06:51.250]  It's like, oh, you failed your password. And here you go. So, you know, the first time I
[06:51.250 --> 06:57.910]  looked at this, I actually didn't see anything too interesting. You know, obviously, that's memory.
[06:58.310 --> 07:05.010]  Recognize that pretty quickly. But, you know, I didn't really see a whole lot of impact initially.
[07:05.570 --> 07:11.010]  And then so I basically monitored it for a few days and started to see, like,
[07:11.010 --> 07:20.030]  some SIP traffic come across. And so basically, I looked for other devices of this make and model,
[07:20.030 --> 07:29.250]  and there were actually only, like, two or three on the internet. And they didn't always
[07:29.250 --> 07:36.910]  produce this output when you hit the 403. So it's kind of like on that particular day,
[07:36.910 --> 07:41.610]  I happened to just kind of stumble upon that particular device on the day that it was having
[07:41.750 --> 07:58.330]  a bad day. And because I'm, you know, we work on this stuff, and, you know, you're just kind of,
[07:58.330 --> 08:03.350]  you know, you're just kind of looking for some indication of a bug and followed up on it. And
[08:03.350 --> 08:15.240]  it ended up being kind of cool. So I actually just I actually watched that for probably,
[08:16.560 --> 08:23.020]  I don't know, a couple months. And then finally saw enough stuff come across there that I
[08:23.020 --> 08:29.400]  decided, okay, you know, this is obviously a legit vulnerability. But I want to confirm it first and
[08:29.400 --> 08:39.320]  also see, like, what's the impact. And so I went ahead and just bought one. Probably not,
[08:44.050 --> 08:49.550]  you know, the most efficient way of doing it. Certainly, you know, I could have
[08:50.590 --> 08:58.590]  tried to get the firmware and loaded it up on QEMU or Pi or something like that. But
[08:59.210 --> 09:06.150]  in this case, basically, having it already basically worked out for me. It was just kind
[09:06.150 --> 09:16.030]  of a matter of confirming. And so I figured I'll go ahead and just buy the device. I actually ended
[09:16.030 --> 09:21.550]  up so I got it. And, you know, I mean, I've been working on this here and there for a few months
[09:21.550 --> 09:29.190]  at this point. And so like, Amazon dropped it off while I was at work, and I came in and
[09:29.930 --> 09:35.970]  tore it open. And, you know, so within an hour, basically, I've got the thing bricked.
[09:37.370 --> 09:44.010]  You know, because I was thinking, well, let's make sure we have like the latest firmware on it.
[09:44.090 --> 09:49.630]  So we're not like reporting vulnerability on some already patched software. And,
[09:49.630 --> 09:57.110]  and yeah, that device basically never came back. And so that was a little bit discouraging,
[09:57.110 --> 10:02.690]  especially after, you know, spending like 150 bucks on it. But you know, I mean, that's,
[10:02.690 --> 10:10.010]  that's part of occupational hazard, I guess. And part of the fun, of course, you know, took it
[10:10.010 --> 10:16.610]  apart, see what I could do and ribbon cable started breaking. I was like, wow, okay,
[10:17.330 --> 10:22.370]  we'll revisit this. And so that's what I did. I waited probably, you know, a couple few more
[10:22.370 --> 10:30.390]  months. And then finally decided, okay, well, I'll just order another one. And fortunately,
[10:30.390 --> 10:38.150]  this one came with the latest firmware. So I didn't have to break it. And within an hour
[10:38.150 --> 10:44.670]  of opening that one, I had confirmed the bug. And I actually did it through the browser.
[10:45.220 --> 10:56.130]  I mean, as far as bugs go, super duper easy to find and to some degree to reproduce.
[11:01.640 --> 11:06.660]  I mean, so basically, like the first time I powered it up, I opened up Chrome,
[11:06.660 --> 11:13.880]  failed to log in a few times. And then we saw that. And so I quickly wrote it up,
[11:13.880 --> 11:18.860]  looked up like, hey, does Mitel have a bug bounty program? That would be cool.
[11:19.080 --> 11:27.200]  No, they didn't. But they did have a really good vulnerability disclosure presence, I guess.
[11:27.200 --> 11:33.360]  And clearly, like, you know, they have a program and a team that's handling only those
[11:33.360 --> 11:41.460]  things. So that worked out good. So I basically reported it to them immediately. And
[11:43.300 --> 11:45.260]  let's see, I don't want to get ahead of myself.
[11:48.080 --> 11:51.360]  And I'm not going to spend too much time on that, because I'm going to show you in person.
[11:51.740 --> 12:00.440]  Yeah, okay, we're on track here. So, so, you know, as far as I was concerned,
[12:00.440 --> 12:05.600]  I reproduced it, and I wrote it up, sent it off. And they were very, you know,
[12:05.600 --> 12:10.400]  prompt and professional. And within a few days, I had a response like, hey, thanks,
[12:10.400 --> 12:16.500]  we'll look into it. And a couple few weeks went by, and then they emailed me and like,
[12:16.500 --> 12:25.560]  hey, we can reproduce this. And so like, you know, for a bug bounty hunter, like not being
[12:25.560 --> 12:30.720]  able to reproduce your report is probably one of the worst possible things that could happen.
[12:30.860 --> 12:36.840]  And so I'm like, oh, man, you know, here I am just some schmuck on the internet,
[12:36.840 --> 12:41.120]  emailing these guys saying, hey, your stuff's broken. And they're like, no, it's not.
[12:43.560 --> 12:48.960]  So fortunately, for me, I guess, I was able to figure out what happened there. And as it turns
[12:48.960 --> 12:54.700]  out, like, I never did get it to reproduce in a browser again, which kind of makes sense,
[12:54.700 --> 13:01.040]  because it's basically just random memory. And you never really know, like, Chrome is not going
[13:01.040 --> 13:06.560]  to know what to do with a bunch of crazy stuff. And so like, the first time I did it, it just
[13:06.560 --> 13:13.340]  happened to work in the browser. But basically, every time after that, I had to use like Netcat.
[13:13.340 --> 13:20.560]  But using Netcat or Telnet or whatever, it is super duper reproducible. It's actually kind of
[13:20.560 --> 13:31.280]  impressive how much you can get from it. So that was pretty cool. They do have a GPG key or PGP,
[13:31.280 --> 13:42.780]  I guess. So like, I probably did it the hard way. But, you know, I literally just use like
[13:42.780 --> 13:49.720]  GPG command line. So for someone who's used to reporting stuff to companies through bounty
[13:49.720 --> 13:54.840]  program, where they have basically like, you know, a website, HTTPS, they provide all the
[13:55.180 --> 14:07.380]  to upload evidence and tutorials and all that stuff. So major kudos to Mitel for basically,
[14:07.380 --> 14:12.700]  you know, being willing to hear and having people and the resources dedicated to fixing
[14:12.700 --> 14:20.360]  these problems. Like, you know, that in and of itself is a huge thing. One of the takeaways for
[14:20.360 --> 14:28.440]  me, and not necessarily for me, but something that I would like to help some of these companies
[14:30.520 --> 14:38.360]  appreciate is, you know, the burden and really for them the potential for human error. Because,
[14:38.360 --> 14:44.600]  you know, when you are like manually doing all that, even understanding asymmetric
[14:44.600 --> 14:50.140]  cryptography, you know, I still have to take a second like, okay, so I'm sending this to them.
[14:50.870 --> 14:55.600]  They need to be able to open so I got encrypted their public key. You know, I got a generated
[14:55.600 --> 15:02.500]  private key from their reply. So that's just a lot of logistical stuff that I think a lot of people
[15:02.500 --> 15:11.460]  may not have the patience or background for. And so, you know, that could have some
[15:11.460 --> 15:18.660]  pretty negative impacts if they basically just, you know, if someone else reporting a bug,
[15:18.660 --> 15:24.000]  failed to do that properly. And next thing you know, you're sending it over HTTPS or playing
[15:24.000 --> 15:35.780]  on HTTP. You know, not really cool. So it ended up actually being, you know, P1, I guess, in my terms.
[15:39.640 --> 15:46.180]  So pretty interesting. Mitel is a CVE Numbering Authority. Oh, no. Oh, yeah, PowerPoint,
[15:46.180 --> 15:51.240]  corrected that for me again. So basically, one of the things that was cool for me
[15:51.240 --> 15:58.500]  in this experience was learning the process for CVE. And I actually had another
[15:59.640 --> 16:06.780]  program, another bug through an actual bounty program, pretty much simultaneously. And it was
[16:06.780 --> 16:14.680]  interesting because like there, that one was not a CNA, Mitel is a CNA. And so walking that path
[16:14.680 --> 16:23.920]  and understanding the different roles, and how you do it, and how you coordinate it, it's not
[16:23.920 --> 16:30.780]  very hard at all. And MITRE basically has like a PowerPoint that walks you through everything.
[16:31.740 --> 16:37.920]  But you know, it's kind of cool to go through the experience and understand it. Okay. So
[16:39.120 --> 16:47.680]  now we'll do some fun stuff. Okay.
[16:59.870 --> 17:28.440]  Okay, I'm sorry. I'm going to switch this off. My bad. I guess I have to maximize this window.
[17:41.640 --> 18:08.340]  There we go. Okay. We'll see how this goes. And if I get too annoying on top of it, I will
[18:09.060 --> 18:12.540]  swagger. Okay, so basically, I have like,
[18:14.660 --> 18:27.970]  have one of these phones right here. And so, okay. So if we just
[18:32.700 --> 18:38.020]  basically, okay, plain old as vanilla as you can get,
[18:38.020 --> 18:45.740]  HTTP request, write that to like a text file. And then cat that, type it to this
[18:49.240 --> 18:57.100]  non-porting. Okay, 401 unauthorized. That's perfectly acceptable, normal, expected. We'll
[18:57.100 --> 19:02.260]  do that a few times. I don't remember exactly how many it is. Okay, probably about that many,
[19:02.260 --> 19:08.280]  five, something like that. Which really, so like, you know, this came about
[19:10.260 --> 19:17.340]  I always think it's interesting when you see like, multiple level deep failure of code.
[19:17.400 --> 19:22.840]  And so like, this one is especially interesting, because it's in an actual security control.
[19:22.840 --> 19:29.040]  And so like, I think there's really a lesson to be learned for all of us. You know,
[19:29.040 --> 19:37.780]  whether you're a penetration tester, or building a system, or software developer,
[19:37.780 --> 19:43.500]  or, you know, on like the IT security compliance side of things,
[19:45.940 --> 19:52.200]  you know, don't just check the box, push it a little bit, because no one would think to
[19:54.920 --> 20:01.580]  set up these particular circumstances to see what happens. But those are exactly the types
[20:01.580 --> 20:08.420]  of things that lead to some of the most impactful vulnerabilities. And, you know,
[20:08.420 --> 20:11.480]  I mean, there's all sorts of really good resources on that.
[20:14.120 --> 20:20.040]  Like, so the other day, I was like rewatching, I think, Samy Kamkar's 2016
[20:21.600 --> 20:27.580]  talk at AppSec California. And he basically, it's just very interesting to listen to someone with
[20:27.580 --> 20:33.160]  his level of experience, because he's explaining his thought process. And he's like, so I asked
[20:33.160 --> 20:38.440]  myself, what would happen if I did this? What would, what if I did this? Could I make it do
[20:38.440 --> 20:48.700]  that? And that's the kind of basically, like structured, but creative, and out of the box
[20:48.700 --> 20:57.380]  thinking that it takes to find impactful vulnerabilities, and not end up like with a whole
[20:57.380 --> 21:02.140]  bunch of duplicates and get frustrated with the whole process. Okay, so at this point, I've
[21:02.140 --> 21:11.220]  basically locked out the account, and it's locked up. Yeah. So I've written a script here at
[21:11.220 --> 21:24.160]  this point, make it real easy. Give me a second. See what that is. Okay, some of that has to do
[21:24.160 --> 21:32.120]  with being able to make it so people can call in. But basically, the key thing there, you can see,
[21:32.140 --> 21:37.360]  I guess you can see here, right? Same thing I just did, but we're doing it
[21:38.520 --> 21:46.180]  20 million times or something like that. Okay, so what I'm going to do,
[21:46.180 --> 21:50.200]  this is the number here. Okay, so I'm going to fire that off.
[21:50.820 --> 22:03.540]  That should just basically start spilling its guts. Yeah, it's ringing right here.
[22:11.190 --> 22:16.510]  Okay. I mean, I have literally sacrificed one of these devices to the demo gods.
[22:16.630 --> 22:22.650]  So I fully expect that this is going to work right off the bat.
[22:25.730 --> 22:52.540]  Let's see. Obviously not. Okay. Maybe then we did. Let's just take another look at that real quick.
[23:16.790 --> 23:22.390]  Let's take a look and see. We're getting something.
[23:24.210 --> 23:33.230]  That should be good. Okay. Sometimes, you know, you totally mess up your shell.
[23:36.740 --> 23:40.160]  So let me just re-open the new shell today.
[24:35.370 --> 24:39.250]  You know, this wouldn't be fun if it worked immediately, I guess.
[24:58.060 --> 25:00.020]  We'll simplify it for a second.
[25:14.160 --> 25:17.660]  Oh my goodness. I'm such a doofus. I'm so sorry.
[25:18.340 --> 25:21.640]  It is literally doing exactly what it's supposed to. I apologize.
[25:24.180 --> 25:35.280]  I forgot that I changed it up. Okay. So that is, at this point, basically just pushing to a file.
[25:37.750 --> 25:41.270]  And I'm going to open another window and we're going to monitor that file.
[26:00.010 --> 26:09.030]  Cool. And, okay, so we will, this guy just created a script. It's going to sit there.
[26:11.090 --> 26:20.160]  So, just making sure I don't have anything where to go off. Okay.
[26:20.580 --> 26:25.060]  Okay. So if nothing is happening, it doesn't do anything.
[26:25.060 --> 26:29.950]  It just sits there and does nothing. So when I initially got it, basically,
[26:29.950 --> 26:35.650]  uh, how I confirmed it was just go in here and play with stuff.
[26:35.790 --> 26:42.610]  And it was kind of neat because I would start to see, kind of going to do a bunch of stuff.
[27:35.390 --> 27:40.990]  I didn't say a lot. Yeah. Wow. That's an incredible amount of stuff. Okay. Yeah. So
[27:40.990 --> 27:45.870]  there we go. That's what I was expecting. Like literally the thing is just puking its guts up.
[27:46.430 --> 27:53.450]  And, uh, you know, it's kind of neat. So like, you know, I've seen CVEs come across,
[27:53.450 --> 28:04.430]  like I subscribed to the RSS feed and, um, sometimes like memory disclosure can be tricky to,
[28:04.430 --> 28:09.570]  to exploit, to actually get something valuable because it's, you know, a lot of times you don't
[28:09.570 --> 28:15.790]  have control over exactly which, uh, memory space you're going to get. And so one thing that's
[28:15.790 --> 28:24.830]  kind of neat about this is, uh, just how easy it is to get stuff. It's kind of funny. That's
[28:24.830 --> 28:30.010]  why I named this talk. What I did, because it's like, basically other than me, like breaking the
[28:30.010 --> 28:40.210]  device, um, everything just like lined up the stars aligned and, you know, at the end of the
[28:40.210 --> 28:46.950]  day, the world's a safer place. So what, what I thought was really cool one time is I was sitting
[28:46.950 --> 28:52.770]  in here and I like changed the password. I'm in the admin portal and, uh, and I saw it right there.
[28:52.870 --> 29:00.250]  I'm like, okay, well, there's secrets right there. And, um, uh, one of my slides, you can't really
[29:00.250 --> 29:06.190]  read it very well, but basically, um, when you configure the SIP endpoint, uh, you had, you know,
[29:06.190 --> 29:14.410]  you have to give your credentials and, uh, I could see those in the dump as well. Okay. So
[29:16.350 --> 29:20.870]  at this point, what I'll do, so I've got a couple of numbers registered to this.
[29:20.990 --> 29:27.090]  Um, so what I'll do is since we've done a bunch of stuff, I'm going to reboot this phone
[29:27.730 --> 29:37.810]  and, uh, that basically will, uh, basically like wipe its, uh, RAM and, uh,
[29:37.810 --> 29:46.810]  also let me get to the web interface to change this phone number while that's rebooting.
[29:47.670 --> 30:22.990]  I'll talk about a couple of things here. Okay. Yeah. So obviously there's not a whole lot of
[30:22.990 --> 30:33.430]  technical, uh, chops being, uh, put on display for finding this one. Let me kill this before it
[30:33.430 --> 30:43.890]  locks out this phone again. Okay. Uh, so, but there, but what this did do was presents a lot
[30:43.890 --> 30:49.890]  of opportunities, uh, to, for like, I guess, lessons that I already knew, but kind of reinforced
[30:49.890 --> 30:54.290]  them and some insights about things that I had not really thought about. And so,
[30:54.990 --> 30:59.850]  you know, we have all these sayings, like, you know, hacking stuff and funding for profit.
[31:00.510 --> 31:06.170]  Um, and I've used that myself and, you know, sounds cool, but never really thought about it,
[31:06.770 --> 31:14.530]  the actual words. And, um, but it kind of hit me the other day, I was reading some,
[31:14.530 --> 31:20.970]  you know, someone's Twitter or something, and basically people just like going off and, uh,
[31:20.970 --> 31:24.630]  you know, just really struck me, uh, that,
[31:26.290 --> 31:30.310]  I think sometimes we need to step back and see where we're at, how we got here
[31:30.310 --> 31:40.810]  and where we're going and really why we're doing what we're doing. Um, because not that long ago,
[31:40.810 --> 31:46.110]  and even still today, you, you know, a security researcher would find something like this and
[31:46.110 --> 31:57.270]  reach out to a company and either not get a response or get sued. And so for me to be able
[31:57.270 --> 32:07.830]  to just reach out to them and, you know, basically just browse my way to a 10 and 9.8 CVSS bug on
[32:07.830 --> 32:19.250]  Shodan with absolutely no intent, uh, and then find the company and they have a, uh, a disclosure
[32:19.250 --> 32:24.450]  program. They want to hear about it. They're very friendly and professional. And, uh, and then they
[32:24.450 --> 32:32.730]  fix it. And it all just like went so swimmingly like that. That didn't just happen
[32:32.730 --> 32:42.710]  out of nowhere. Uh, there was a whole like industry-wide, I don't know what you want to
[32:42.710 --> 32:53.330]  call it, but you know, issue 10 years ago, maybe not that long ago. And, uh, okay.
[32:53.970 --> 33:00.170]  Where like the whole question of vulnerability disclosure was a huge deal. And basically it
[33:00.170 --> 33:04.270]  got to the point where, where researchers are like, well, you know, we all love technology
[33:04.270 --> 33:09.690]  and we all want the technology that you're building. We all need it. I think like COVID
[33:09.690 --> 33:19.270]  for example, just shows how important technology is to humankind at this point. And, you know,
[33:19.270 --> 33:25.370]  I mean, as bad as it's been, how much worse would it have been, would it be, it's still going on,
[33:25.370 --> 33:31.610]  obviously. Uh, you know, if, uh, if the people who are working from home couldn't work from home,
[33:32.190 --> 33:36.890]  that's not to minimize the impact that it has had, but just to say like,
[33:37.410 --> 33:44.190]  you know, I guess it could actually be worse. And so like these companies, you know,
[33:44.190 --> 33:51.030]  SIP phones, for example, I mean, that is a key driver to the ability to work from home and have
[33:51.210 --> 33:59.050]  a distributed workforce. And so like, we rely on not only these things working and not only them
[33:59.050 --> 34:03.510]  being secure, but like the people's trust in them. Like that's the worst possible thing that
[34:03.510 --> 34:11.010]  could happen is if people just stop trusting the internet, uh, that that's going to be a problem.
[34:11.130 --> 34:20.130]  And no one is going to protect it or can protect it. So like it falls on this relatively tiny
[34:20.130 --> 34:31.150]  community. And, uh, and so yeah, I mean, we, it's a very high paying industry and about bug
[34:31.150 --> 34:37.250]  bounties. Like I was watching the, uh, interview between mayonnaise, I don't know his real name
[34:37.250 --> 34:42.510]  and the homestead the other day. And like, so he started doing bug bounties late 2018
[34:42.510 --> 34:49.010]  and has already made over a million dollars. I mean, that's amazing.
[34:50.390 --> 34:56.950]  But at the same time, it's important to, uh, to understand where we came from and not be so
[34:56.950 --> 35:02.310]  caught up in that stuff that we're basically going off on Twitter because somebody didn't
[35:02.310 --> 35:06.810]  pay us as much as we thought they should pay us for a bug. And that doesn't help anybody.
[35:07.230 --> 35:12.770]  Um, so I think like sometimes you got to do it for fun and sometimes you do it for profit.
[35:12.930 --> 35:18.390]  In this case, I did it for fun. And, uh, you know, the other day I was basically just like,
[35:19.030 --> 35:25.870]  what else can I do with this? And I thought this might be kind of cool. So actually the biggest
[35:25.870 --> 35:31.870]  issue I had with it was my internet connection is going through carrier grade NAT. So my public
[35:31.870 --> 35:38.710]  IP is not actually public. So getting the SIP traffic to me has been a debacle. Uh, but
[35:39.590 --> 35:46.470]  I actually, uh, applied something I picked up from the, uh,
[35:46.470 --> 35:51.630]  so hopelessly broken lab I was doing like last year with, uh, you know, tunneling stuff through
[35:51.630 --> 35:59.330]  SSH. And so that's what I'm doing right now is basically UDP SIP traffic is hitting a Twilio
[35:59.330 --> 36:05.750]  and going to AWS through an SSH session that I created outbound and getting forwarded all
[36:05.750 --> 36:20.300]  to this phone. So, uh, basically let me get a couple of things set up. What I was going to do
[36:22.040 --> 36:28.460]  is, uh, I'll post a number. I've got like scripts and everything, just grepping stuff out to mask
[36:28.980 --> 36:36.200]  phone numbers and stuff. But, uh, if you call and, uh, you saw how fast that's coming up here,
[36:36.200 --> 36:42.140]  it's grabbing the phone numbers and, uh, it's going to show the last four digits. And I think
[36:42.140 --> 36:49.380]  like the first one or something. And so, uh, if you call this number, I put up there and your
[36:49.380 --> 36:58.440]  number shows up on this board over here somewhere, uh, ping me after this and just tell me the
[36:58.440 --> 37:05.220]  remaining digits and your email address. And I'll send you a, uh, Kindle, like a redemption code for
[37:06.340 --> 37:17.830]  IoT Hacker's Handbook. Um, okay. So I'm going to turn that off for one second. I'm going to mute
[37:17.830 --> 37:23.490]  myself so you don't hear me like clacking these keys and then, uh, just get a couple of things
[37:23.490 --> 37:42.360]  set up here and we'll be all set. Yeah. So I think I put this out there, but like only like the first
[37:42.360 --> 38:34.870]  five people can I do that for. Yeah. I'm not making any sense. Okay. There we go. At least
[38:34.870 --> 38:42.730]  nine, like you see what I'm doing here. Nothing crazy. Okay. It's going to clear up this one.
[38:42.730 --> 39:55.010]  Okay. My bad. You ever have yourself like double muted on a meeting or something? I basically just
[39:55.010 --> 40:14.190]  did that to myself. I'm sitting here talking to you. My bad. So I do have it on just basically
[40:14.190 --> 42:05.840]  ready to fire off. Well, that's actually the one we care about anyway. So that should work.
[43:16.650 --> 44:53.050]  Okay. And if anybody is watching that window, they probably realize it's literally not doing
[44:53.050 --> 45:32.940]  anything. Let me just hide that window so I don't dump people's phone numbers out.
[47:02.770 --> 47:08.010]  It looks like we're close. We're at the time here. So Sam, I guess you just let me know if you want
[47:09.050 --> 47:12.090]  to stop. But basically, we've got
[47:18.690 --> 47:24.030]  Yeah. So
[47:33.360 --> 47:38.560]  No, Matt, you're all good. If you want to sort of show anything off. I mean,
[47:38.560 --> 47:43.740]  like you're the last talk. So don't worry. I can keep going for a while. I mean, there's
[47:44.220 --> 47:53.600]  people there and you get time. That's cool. So I do. I mean, I can see this person's called right
[47:53.600 --> 48:01.900]  now. So, you know, I think I'm not in the discord at this moment. I was having some problem with it.
[48:02.000 --> 48:08.040]  But just ping me. I'll hop on there as soon as we get off here and give me your email address
[48:08.040 --> 48:22.170]  and I'll shoot that over to you. Yeah. 06275 might be the only one. Let's see.
[48:23.930 --> 48:43.100]  That would explain. 57702. So if these numbers are your phone numbers, you know,
[48:43.100 --> 49:15.480]  ping me. So that was that 293310. It's kind of funny. So like, because of the way I had to get
[49:15.480 --> 49:24.240]  that stuff working through SSH tunnels, it's basically does not understand that you hung up.
[49:35.350 --> 49:42.990]  Well, that was three. I'll go through here. And if there are two more unique ones,
[49:45.810 --> 50:00.660]  I will post that. There's one right there. 25120. And actually, I thought this may happen
[50:01.360 --> 50:06.140]  if you are actually using like a SIP trunk that's not PSTN source.
[50:08.740 --> 50:17.320]  So yeah, yeah, I put it together kind of cheap and fast. And you know how they say you can have
[50:17.320 --> 50:29.430]  things like cheap, fast and good pick two. This is cheap and fast. One second. If that's legit
[50:30.910 --> 52:06.130]  it. I believe that's anonymous. So I mean, if that is legitimately you, that's cool.
[52:07.030 --> 52:29.300]  Well, okay. 60918. I think that's five. So if any of those ring a bell to you,
[52:29.300 --> 52:36.500]  then just ping me after this. I'll send those codes over to you. And if that ends up being six,
[52:36.500 --> 52:54.150]  that's cool too. Okay. So let's switch. But actually, it was a little bit, I'm kind of glad
[52:54.150 --> 53:00.290]  it worked out like that, even though it was a little unplanned. I was, you know, based on what
[53:00.290 --> 53:06.030]  my testing, I was a little afraid like five people will call just like that. We wouldn't even be able
[53:06.030 --> 53:14.290]  to find them. So, okay. So I think I went through some of this already, most of this.
[53:17.970 --> 53:24.650]  But Shodan dorking. And someone mentioned a similar service to me the other day and I can't
[53:24.650 --> 53:32.270]  remember it. But a lot of times I think we go and we use these tools when we have found a
[53:32.270 --> 53:41.190]  vulnerability and we want to see the scale of the impact. I propose that you could,
[53:41.190 --> 53:46.310]  well, I mean, what this demonstrates is like, there's a lot of untapped data out there.
[53:48.490 --> 53:58.630]  And they have an API. And so it's like, if you're wanting to get into IoT, and don't want to go
[53:58.630 --> 54:03.690]  spend $142 on a phone and then break it and buy another one, which is completely understandable.
[54:04.630 --> 54:13.370]  One potential way to pick a target would be to use these APIs and, you know, structure a search
[54:14.230 --> 54:21.140]  that maybe, you know, searches for something like a bunch of 401s and then something unexpected. Or,
[54:21.140 --> 54:29.120]  you know, if you know a particular request, you know, the results for a certain type of device
[54:29.120 --> 54:37.120]  are typically of a certain size, search for things that are outside that realm. Excuse me.
[54:42.620 --> 54:50.600]  Okay. So yeah, this is kind of something like, I've just applied. So I've been doing computers
[54:50.600 --> 54:55.760]  professionally for 20 something years. And, you know, my whole life, I'm a geek at heart,
[54:55.760 --> 55:00.260]  I love it. And I do it because I love it. And I would be doing it even if I wasn't getting paid.
[55:02.480 --> 55:09.180]  And I've noticed over the years, whether it's in selling hardware, software, networking,
[55:09.180 --> 55:19.320]  or services, when you are invested in something, because you care about it, and,
[55:19.320 --> 55:29.940]  traditional salesperson, and just having fun, you know, money follows that, and it builds trust.
[55:29.960 --> 55:35.680]  So I would propose to people, like, especially people who are trying to get into the industry,
[55:35.680 --> 55:39.900]  and maybe see like, wow, look at all these people doing all this cool stuff, making all this money,
[55:39.900 --> 55:46.580]  this is so cool, I want to get me some of that. There's a whole lot behind the scenes that you're
[55:46.580 --> 55:54.800]  not seeing when you see that. And so it's very easy to get frustrated if you have like the wrong,
[55:54.800 --> 55:56.860]  you know, you're focusing on the wrong thing. And so
[55:59.740 --> 56:06.900]  hack for fun, and the profits will come. I truly believe that. And the only other thing on here
[56:06.900 --> 56:15.620]  that I want to point out is we really do need to praise these companies like Mitel. And there was
[56:15.620 --> 56:21.640]  someone else this week who gave a talk, and he's like, you know, this company was spectacular.
[56:22.480 --> 56:29.680]  I mean, that's not nothing. And really, like, you could put companies on like the,
[56:32.620 --> 56:39.320]  my goodness, the grief scale, right? Like, over here, you have denial, over here, you have
[56:39.320 --> 56:44.440]  acceptance. And 10 years ago, everyone was in denial. And if you went to them with it, they just
[56:45.600 --> 56:52.780]  preemptively sued you out of fear and denial. And there's still people there,
[56:52.780 --> 56:57.620]  still companies at that place. And then you have companies who are like, hey, you know,
[56:57.620 --> 57:03.020]  come hack us. And if you write us a good report, we'll pay you even if you don't find bugs.
[57:03.720 --> 57:09.700]  Because we care, and we want our stuff to work right. And you know, there's people everywhere
[57:09.700 --> 57:15.400]  in between. And while we as, you know, even if you're not in this for like bug bounties,
[57:15.400 --> 57:22.880]  but you're in it for whether it's just the good of the internet, or pen testing as a career,
[57:22.880 --> 57:32.200]  whatever it may be. There are some elements that are similar to like traditional IT jobs,
[57:32.200 --> 57:37.940]  where like, you don't just walk into a company and be like, hey, you know, let's replace all your
[57:38.480 --> 57:45.020]  computers and Windows upgraded to 2019. And all this, you know, exchange in the cloud tomorrow,
[57:45.020 --> 57:51.200]  you have to build a relationship and trust and understand them. And there's a whole bunch of
[57:51.200 --> 57:58.900]  stuff that goes into that. And I think if you approach this industry with that same attitude,
[57:58.900 --> 58:04.520]  where we'll get to a place where we understand that like, software vulnerabilities are going to
[58:04.520 --> 58:11.440]  happen. It doesn't matter, like what controls you have in place, human beings are writing it,
[58:11.440 --> 58:19.560]  and it is only human to make mistakes. And we don't want to like stigmatize it. Actually,
[58:19.560 --> 58:24.680]  I think we should praise people who are doing it. And, and really where we're at right now is
[58:24.680 --> 58:31.340]  there's basically like a set of companies who are like subsidizing this, this burgeoning industry.
[58:31.340 --> 58:35.780]  I realize it's, you know, quite a several years old, but in the grand scheme of things,
[58:35.780 --> 58:44.200]  it's still pretty new. And so we need to move these companies from over here to over here.
[58:44.200 --> 58:51.460]  And that's going to take time. And I can, I can think of one scenario, in my own experience,
[58:51.460 --> 58:57.600]  where basically, like I reported something to a company, clearly was an impactful bug.
[58:58.040 --> 59:03.680]  They didn't see it that way. You know, I didn't, I was like, okay, cool. You know, that's cool.
[59:04.380 --> 59:10.560]  Yeah, I didn't push it. I haven't returned to their program since then. But I actually noticed
[59:10.560 --> 59:16.500]  like a few weeks ago, maybe a month ago, you know, now they're doing things to try to attract
[59:17.700 --> 59:22.440]  researchers to their program. So what I think is happening there is like they probably realize
[59:22.440 --> 59:31.660]  yeah, we're not getting much traffic. And so they're slowly moving over in this way. And,
[59:31.660 --> 59:37.260]  you know, it takes time. And if you're getting upset going off on Twitter, or, you know,
[59:37.260 --> 59:42.100]  just being unprofessional, not only is that going to hurt you, but that's going to hurt
[59:43.340 --> 59:49.900]  the whole industry. Because, I mean, you represent this industry to those people.
[59:49.900 --> 59:55.980]  And, and that's that can be dangerous for us all, because really, at the end of the day,
[59:56.620 --> 01:00:07.520]  we do need all this stuff to work. And I mean, like, the Great Firewall of America is now a
[01:00:07.520 --> 01:00:11.640]  topic of discussion. I mean, that that's like a vote of no confidence in the internet. That's
[01:00:11.640 --> 01:00:23.680]  concerning. And we need to not let that happen. And okay. So I'm 15 over. So that's cool.
[01:00:23.940 --> 01:00:29.760]  Thanks for the extra time. Ping me afterwards if any of those numbers were yours.
[01:00:30.020 --> 01:00:33.200]  Thanks for your time. Happy DEF CON.
